Guest poster Mike Kicklighter has built his career and skills inside international banks, corporates, and global exchanges. He has worked up close with the Swedish personal data privacy law (PUL) and has managed projects involving the protection, administration, and transfer of sensitive details for tens of thousands of people. He personally has been the target of spear phishing and has ‘won’ the Spanish El Gordo lottery without ever having played.
“It’s Bob, he says he’s from the IRS…”
I’ve seen a lot of things over the years working as a financial services consultant. I change assignments fairly regularly and have kept up to date on technology, trends, and new regulations. The job is often like solving a big puzzle. Find the corner pieces and edges and get to work. There is a lot of activity at work regarding FATCA (the US Foreign Account Tax Compliance Act) right now.
The other day a person in my network asked me to look at an email he had received that appeared to come from the Internal Revenue Service. It had an ‘@irs.gov’ sender address, professional graphics and, at first glance, all the superficial signs of legitimacy.
He asked, “What do I do?” After a simple gut-check I told him not to open it.
First, it was email – from the IRS. Second, it had a .ZIP attachment, and for the life of me I couldn’t imagine the IRS managing .ZIP files in their organization. I guessed it was probably a virus / trojan or phishing attempt, and if I hadn’t been there he would have opened the email and the attachment. Who knows what would have happened next? Who knows if it was legitimate!
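As an added example (not part of the original post), here is how a mail gateway or an analyst could make the same call mechanically rather than by gut feel. A From: header reading @irs.gov proves nothing by itself; it is free text that any sender can set. What ties a message to the domain it claims is an aligned DKIM or DMARC pass recorded by the receiving mail server in the Authentication-Results header (RFC 8601). The two sample messages, the sensitive-domain list and the risky-extension list below are all constructed for this example and are not real IRS mail.

```python
"""Triage an inbound e-mail: is the claimed sender domain backed by the receiving
server's SPF/DKIM/DMARC results, and does the message carry an archive or
executable attachment?

Added example, not the original post's code. Authentication-Results parsing
follows RFC 8601; the sample messages below are constructed.
"""
import re
from email import message_from_bytes, policy

# Attachment types that deserve a second look when they arrive unsolicited.
# Assumed list for this example; tune it to your environment.
RISKY_EXTENSIONS = {".zip", ".7z", ".rar", ".exe", ".scr", ".js", ".jar", ".iso", ".img"}

# Domains whose mail you would reasonably expect to be authenticated.
# Assumption for the example: irs.gov is treated as a sensitive brand.
SENSITIVE_DOMAINS = {"irs.gov"}


def sender_domain(msg) -> str:
    """Return the lower-cased domain of the RFC 5322 From header ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def auth_results(msg) -> dict:
    """Parse Authentication-Results (RFC 8601) into {method: result}.

    The DKIM signing domain (header.d= or header.i=@) is kept under 'dkim_domain'
    so that DMARC-style alignment with the From domain can be checked.
    """
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
        results[m.group(1).lower()] = m.group(2).lower()
    d = re.search(r"header\.(?:d=|i=@)([A-Za-z0-9.-]+)", header, re.IGNORECASE)
    if d:
        results["dkim_domain"] = d.group(1).lower()
    return results


def risky_attachments(msg) -> list:
    """List attachment filenames whose extension is in RISKY_EXTENSIONS."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def triage(raw: bytes) -> dict:
    """Return sender domain, parsed auth results, findings and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    findings = []
    if domain in SENSITIVE_DOMAINS:
        # Only an aligned DKIM pass (signing domain == From domain) or a DMARC
        # pass ties the message to the domain it claims; SPF alone covers the
        # envelope sender, which is a different field from From:.
        dkim_aligned = auth.get("dkim") == "pass" and auth.get("dkim_domain") == domain
        if auth.get("dmarc") != "pass" and not dkim_aligned:
            findings.append(f"claimed sender {domain} is not authenticated (auth={auth})")
    for name in risky_attachments(msg):
        findings.append(f"risky attachment: {name}")
    return {"sender_domain": domain, "auth": auth, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


# Constructed sample: spoofed From:, failed SPF/DMARC, no DKIM, .zip attached.
SPOOFED_MAIL = b"""\
From: "Internal Revenue Service" <noreply@irs.gov>
To: fatca-team@example-bank.example
Subject: FATCA data file request
Authentication-Results: mx.example-bank.example; spf=fail smtp.mailfrom=bulk.example.net; dkim=none; dmarc=fail header.from=irs.gov
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached notice.
--b1
Content-Type: application/zip; name="IRS_Notice.zip"
Content-Disposition: attachment; filename="IRS_Notice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: same From:, but the receiver recorded an aligned DKIM pass.
AUTHENTICATED_MAIL = b"""\
From: "Internal Revenue Service" <noreply@irs.gov>
To: fatca-team@example-bank.example
Subject: FATCA data file request
Authentication-Results: mx.example-bank.example; spf=pass smtp.mailfrom=irs.gov; dkim=pass header.d=irs.gov; dmarc=pass header.from=irs.gov
MIME-Version: 1.0
Content-Type: text/plain

Please review the notice on our website.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MAIL), ("authenticated", AUTHENTICATED_MAIL)):
        print(label, triage(raw))
```

Passing these checks only says that the message came from the domain it claims and carries nothing obviously dangerous; it says nothing about whether the request itself is legitimate or whether the person behind it is who they say they are. That second question is the one the rest of this post is about, and no mail header answers it.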
It was then it struck me – there is a missing corner piece in the FATCA puzzle – a frighteningly serious one and it isn’t about business integration, service management, or customer support…It is about IDENTIFICATION. There is absolutely no way for a foreign employee sitting on this side of the Atlantic to verify the identity of an IRS employee or legitimate IRS request. Zero.
Responsibility sits with the US government.
Every foreign employee I have met knows FATCA is holding US dollar payments like a club over the head of their employer. When FATCA was pushed onto the world it kicked off by avoiding the established state-to-state relationships that have functioned for decades. As a result, instead of taking instructions from the established local authorities, the US is aggressively inserting itself as a local regulator.
Now, when the US fills the role of a local regulator on foreign soil under the umbrella of FATCA, it does so without providing any authorization channels or any means of verifying the identities of its staff overseas. I am guessing we can forget any multi-time zone, multilingual service desks…
A hypothetical conversation at a foreign IT shared service center (in English for convenience):
> Hey, it’s Bob from the IRS, he says we need to send another US data file. Servers are being patched in his time zone – need to send it to a mirror site.
>>Ok, everything?
>Yeah, he’s on the phone. They want kids’ details too – sounds important …but shouldn’t we get some approval first? We’ve never used that server before.
>>Nah, Americans aren’t covered by any data privacy restrictions like we are. Just send it, I don’t want to get in any trouble.
>Done! It’s on the way …
It really can go that quick. A matter of minutes and no way to recall. Does the US really grasp the consequences of forcing the world to track down its citizens? Have they considered where this data may end up next? How it can be misused?
Several million Americans are about to find out. I am afraid that in the near future the personal and financial details of many Americans overseas will be up for grabs on torrent servers, dumped in internet paste bins and burned to DVDs that get ‘lost’ – solely because of FATCA and the US government’s inability to function as a local regulator overseas, much less manage a multi-time zone, multilingual, international support operation.
Just ask an international bank how easy that is.